SUMMARY

NODEN is a suite of programs designed to perform hardware analysis on moderately complex blocks of logic, to prove the correspondence between the specification and implementation of a circuit. It is intended that circuits to be analysed should be described in the NODEN Hardware Description Language, NODEN_HDL (either directly or by translation from other hardware description languages such as ELLA, HILO etc). The following paper describes the basic features of NODEN and the circuits it can reason about. The bulk of the paper describes the operations performed by the analyser in terms of set operations.

There is also a discussion of the possible representations that can be used for sets, and the operations on them. This leads to a comparison of the performance of a number of different analysers, based on different internal representations, when used on an actual application.
1 Introduction

NODEN is a hardware verification system that has grown out of RSRE's work on the VIPER micro-processor [Cullyer 87]. The importance of hardware verification is seen as being twofold; firstly there is a class of applications in safety and security critical areas for which any unanticipated behaviour of the system (be it caused by hardware or software design errors or hardware failure) is unacceptable. Secondly, even for those applications which are not critical, an efficient design verification system could lead to reduced design testing costs and reduce the risk of devices being supplied to customers with undiscovered errors, with the inherent cost of reworking and loss of customer confidence. The work to be described covers certain aspects of the hardware design verification problem. Software verification and hardware fault tolerance are subjects of different research.

Whilst verifying the VIPER design [Cohn 87], it was found that there is a natural division between the high level abstract descriptions of a circuit and those levels closer to the implementation. In VIPER, four levels of description were produced, from the most abstract top level specification, through the major state (micro-program) and block models, to the gate level implementation. Proof of the correctness of the design was therefore in three parts; proving the correspondence between the major state model and the top level specification, the block and major state models, and finally between the gate level implementation and the block model. The first two of these are similar, particularly as in both cases the two descriptions involved have different views of time. In the top level specification, each machine instruction is described as an atomic event, but is implemented in the major state model by the execution of a sequence of micro-instructions. Similarly, whilst the major state model sees each micro-instruction as an atomic event, the block model sees them implemented as a sequence of clock cycles. This leads to these two proofs being performed in a similar manner, involving a machine assisted algebraic technique using the HOL theorem checker [Gordon 85].

Whilst the gate level to block model proof could be done using the same technique, there is a difference between this proof and the preceding pair, as the gate level and block models have the same view of time. These two descriptions are therefore simply different expressions of the same behaviour. The block model is a 'human orientated' view of the requirement in a comparatively abstract form, whilst the gate level description should be functionally identical but constructed from primitive functions that have some physical significance. This enables the use of a more automated proof style. For VIPER, a technique called intelligent exhaustive testing was developed [Pygott 85]. Whilst this worked successfully for VIPER, it was shown that it could be pessimistic, leading to correct circuits being rejected as erroneous [Pygott 88]. NODEN was the answer to this problem. It provides an automatic proof of the correspondence (or otherwise) between the block level specification of a circuit and its gate level implementation.

Before the details of NODEN are considered, it should be said that there is an alternative route to correct circuits, which does not depend on post-design verification, but produces the design by meaning-maintaining transformations on the specification. Such techniques applied to the top levels of description are still in the research stage [Brumfitt 87], but a number of tools such as GATEMAP [Pitty 88] and LOCAM [Praxis 89] exist to synthesise a circuit from its block level description. However the use of such tools does not remove the need for NODEN and similar tools. As the synthesis tools are so complex, they will never be amenable to software verification, so for critical applications it would be difficult to trust them without an independent check on their operation. Also, the designer using these tools may decide to optimise the resulting circuit for a number of reasons, so a verification route is required to prove the legality of the optimisation.

The rest of this paper will provide an introduction to NODEN, its type model and the functions it supports. This is followed by a detailed description of the semantics of the built-in functions and constructs. As the usefulness of a tool such as NODEN depends upon the complexity of circuits it can analyse and how long that analysis takes, the next section describes a number of machine representations that can be used to implement the analyser, and finally the results of applying NODEN to a practical problem (VIPER) are discussed.

2 The NODEN type model

Circuits to be verified are presented to the analyser in the NODEN Hardware Description Language, NODEN_HDL. This is essentially a sub-set of ELLA [Morison 84], but with some additional information needed for verification. This section and the one that follows are intended to provide an overview of the facilities of NODEN, rather than provide a detailed syntactic description (which can be found in [Pygott 89]). One reason for this is that the circuits may never be directly expressed in NODEN_HDL, but may be specified in a hardware description language such as ELLA, with the implementation being described in a netlist language such as HILO, with these descriptions being translated into NODEN_HDL. This overview is therefore intended to indicate those features of such description languages that can be reasoned about by NODEN.

There are four primitive types of object in a NODEN description; unconstrained integers, constrained integers, wire values and enumeration values.

In principle, an unconstrained integer can have any non-negative value from 0 to infinity. In practice, the upper bound of the integer range has been fixed at a large finite value (of the form 2^k - 1). It should be noted that the analyser cannot cope with integers this big, as the size of the internal expressions generated quickly becomes too large to handle. This means that a block such as a 32-bit arithmetic unit should be described as a number of slices, and the behaviour of the slices when joined together determined by an algebraic theorem prover.

In addition to the unconstrained integer type, NODEN also allows the user to define constrained integer types (such as 0..15 or 31..56). The only restrictions on the lower and upper bounds are that they must both be legal unconstrained integers, and the upper bound must be larger than the lower bound.

A wire type is a model of a value that can occur on a single wire, such as a boolean signal. A wire type is therefore indivisible. This should be contrasted with an enumeration type, which represents the value of a group of signals. For example, the control lines to an ALU may form a set of signals. At the specification stage, the individual behaviour of the signals is not important; what is important is that some pattern of signals is required for an ADD, a different pattern for SUB etc. The enumeration type allows the specification to be written in an abstract manner, with the implication that in the implementation the single enumeration type will be mapped onto a number of physical wire values.

Any of the above four primitive types may be grouped into arrays of signals. For example an array of six signals, each of the wire type called bool, is said to be of type [6]bool. Any combination of wire types, enumeration types, integers and arrays can be combined to form compound objects (or structures). For example, a value called complex may be of type:

(bool, word4, (tristate, bool), bool)

It is a user definable option as to whether arrays and structures are indexed from element 1 as the least significant (as ELLA and most HDLs) or 0 (as for HOL). If the lower bound of arrays is 1, then in the above example, complex[1] is of type bool, complex[2] is of type word4 etc. Multiple levels of indexing are achieved such that complex[3][1] is of type tristate. Note that if word4 is an array, the first member of the array is also indexed in the same manner, ie as complex[2][1].

NODEN_HDL allows arrays and structures to be sliced, so that complex[1..2] would be a structure of type (bool, word4). Arrays of the same wire or enumeration type may also be concatenated using the CONC operator.

As well as values made up of the members of a type, each type is assumed to have separate 'don't care' and 'illegal' (or 'undefined') values. That is, the user may specify a signal to be the don't-care value of a particular type under some circumstances, with the implication that the implementation can deliver any value under those circumstances. This is indicated by the use of the type name as a 'wild card' value, and should be contrasted with the interpretation of an incomplete description (for example the optional ELSE part omitted from an IF..THEN..ELSE..FI statement), when the analyser will regard the statement as having an undefined value of the appropriate type under the circumstances for which no value is defined (section 5.4). For example, the NODEN_HDL statement:-

IF a==b THEN c ELSE bool FI

delivers the value c when a = b, and the boolean 'don't care' value otherwise. If this is part of the specification of the circuit, this says that the implementation must deliver the value c when a = b, but can deliver any value at other times. This should be compared with the interpretation of:-

IF a==b THEN c FI

which delivers the value c when a = b, and is otherwise undefined. If this is part of the specification of a circuit, this would be regarded as illegal (if a could ever be unequal to b), as the specification must deliver a defined value under all input conditions.

The majority of a NODEN description consists of type definitions and functions. Type definitions allow the user to define new wire, enumeration and constrained integer types. The unconstrained integer type is always available.

A new wire type is declared as:-

TYPE typename = WIRE (name | name | ... | name).

typename is the name of the type, whilst the names in brackets (separated by '|'s) are the values that that type can have. The predefined boolean type is effectively defined as:-

TYPE bool = WIRE (t | f).

A new enumeration type is declared as:-

TYPE typename = NEW type (name = #boollist | ... ).

typename is the name of the enumeration type. All enumeration types correspond to a group of booleans in the implementation; the type indicates the size of that group. Each of the members of the enumeration type is specified as name=#boollist, where name is the name of the type member and boollist is the representation of that member in the implementation, and consists of a list of the appropriate number of 0's (false), 1's (true) and x's (don't-care). The mapping of arrays of booleans to enumeration types and vice versa is discussed in sections 5.6 and 5.7. For initial definition and simulation, the representations can be omitted as in the first of the following examples (in which case the members will be given a representation equivalent to a binary count from 0):-

TYPE alucontrol = NEW [4]bool (add | sub | shift),
     counter    = NEW word2 (reset=#0x | inc=#10 | load=#11).

A new constrained integer type is declared as:-

TYPE typename = INT [integer_expression .. integer_expression],

as in:-

TYPE four_bit = INT [0..15].

3 NODEN functions

Behaviour is described to NODEN in terms of functions. Each function has a set of inputs and outputs, and may contain internal states (memory). The purpose of the function descriptions is to define how the outputs' behaviour depends upon the values of the inputs, and the current values of any internal states. The function description must also define how the next value of the internal states is derived from the same information. That is, as in ELLA there is an implied global clock that synchronises all state transitions, and the descriptions of functions with internal states define the value the state variables will take after the next implied clock. This means that NODEN can only reason about synchronous logic.


3.1 Function signatures

NODEN recognises three basic function types; auxiliary functions (FNs), BLOCKs and CIRCUITs. Auxiliary functions are all those functions used to construct the description of a circuit, but which have no particular physical significance. BLOCKs, on the other hand, are functions which are identifiable in both the specification and implementation. That is, for any circuit that is to be verified, the specification description will contain a BLOCK which defines the required behaviour in terms of primitive operations and, if required, auxiliary functions. The implementation description will contain a BLOCK that represents the implementation of the circuit. This will have the same inputs and outputs as the specification BLOCK (and the same internal states).

It has already been said that some circuits may be too complex for NODEN to analyse, but the NODEN_HDL description may describe how these more complex circuits can be constructed from the BLOCKs that it can verify. This is done by CIRCUIT functions. So the description of a 32-bit arithmetic unit, which cannot be analysed directly, can be partitioned into 4-bit slices (represented as a BLOCK that can be verified) and a CIRCUIT which describes how the 32-bit ALU is constructed from eight of the 4-bit slices. CIRCUITs are ignored by the NODEN analyser, but may be used as part of the input to an algebraic prover in order to reason about the more abstract levels of description of a system.

Auxiliary functions and BLOCKs have similar signatures, in that both define the name of the function, the type of its inputs and their local names, and the type of its outputs. The only difference is that a BLOCK's outputs are named whilst an auxiliary function's are not. For example:-

FN EXAMPLE_FN = (bool: count clear, word4: reg) -> (word4, bool):

BLOCK B1 = ([4]bool: bus, bool: reset) -> (bool: op1, tristate: op2):

In the first example, an auxiliary function is defined to take two boolean values named count & clear and a word4 value named reg, and deliver a structure of type (word4, bool). Similarly the BLOCK B1 is defined as having two inputs and delivering a structure of type (bool, tristate), with the two members of this structure being named as indicated. These names are used by the analyser and comparison programs to refer to a particular signal in their output listings. That is, they are not used in the definition of the function.

3.2 Function bodies

The body of a function either consists of a single NODEN statement, the value of which is the value delivered by the function, or a collection of local definitions and a final output statement. For example:-

FN A_NOT_B = (bool: a b) -> bool: a AND (NOT b).

FN A_INV_B = (bool: a b) -> bool:
BEGIN LET not_b = NOT b.
      LET a_not_b = a AND not_b.
      OUTPUT a_not_b
END.

These two functions describe identical behaviour, where NOT and AND are two auxiliary functions. In general, any function is applied to a set of variables as in F1(a,b,c,d), but monadic functions such as NOT do not need the brackets, and dyadic functions such as AND can be in-fixed as shown above. NOT and AND are actually two of the built-in functions that will be described later.

NODEN_HDL supports two conditional statements, CASE and IF. The CASE statement is of the form:-

CASE exp0 OF value1: exp1, value2: exp2, ... ELSE expn ESAC

where exp0 is an expression that delivers a wire type, an enumeration type or an integer value. value1, value2 etc are different members of the type delivered by exp0. When exp0 has the value value1 the statement delivers exp1, when exp0 is value2 the statement delivers exp2 etc. Not all the members of the type need explicitly appear as limb selectors, and if exp0 can ever have a value that doesn't match one of the selectors, the statement delivers the value expn. The ELSE expn part of the CASE statement is optional and if absent leads to the result of the statement being undefined for any value of exp0 not covered by the limb selectors. NODEN also supports an 'IF-THEN-ELSE-FI' construct, such that:-

IF exp1 THEN exp2 ELSE exp3 FI

is identical to:-

CASE exp1 OF t: exp2, ELSE exp3 ESAC

3.3 State variables

In order to introduce state information, a special class of functions (known as DELAY functions) is required. These are created as in:-

DELAY DELAY_BOOL = bool.

This creates a function called DELAY_BOOL with a single input of type bool and a single output of the same type. The output of this function is the input value delayed by one clock cycle.

As so far described, no statement can contain a value that has not already been declared, either as a member of a particular type, as an input to the function or as an expression named by a previous LET. However, without some other mechanism it would be impossible to describe circuits that have feedback. For example, if D_TYPE is a function that is to model a d-type latch with data and gate inputs and a single output (q), then what is required is that the output after the next implied clock should follow data if gate is true, or otherwise should be the same as the current output state. This cannot be written as:-

FN D_TYPE = (bool: data gate) -> bool:
BEGIN LET q = DELAY_BOOL(IF gate THEN data ELSE q FI).
      OUTPUT q
END.

as the name q is used on the right hand side of the assignment before the assignment is completed. To overcome this, it is possible to use a MAKE statement to indicate that a function of a particular type is to be defined later in the description, but that the name associated with that function is immediately available. Before the end of the function being defined, the inputs to any functions made in this way must be defined by JOIN statements. These are identical to the MAKE and JOIN statements in ELLA. The above example can therefore be legally expressed as:-

FN D_TYPE = (bool: data gate) -> bool:
BEGIN MAKE DELAY_BOOL: q.
      JOIN IF gate THEN data ELSE q FI -> q.
      OUTPUT q
END.

The NODEN_HDL compiler checks that any loops created as above contain at least one DELAY function, so that their behaviour is synchronous. Whilst it is perfectly possible to describe a circuit such as a pair of cross coupled NAND gates, these form an asynchronous memory device, and so the circuit cannot be analysed.

3.4 Predefined functions

NODEN supports a number of predefined functions. These can be grouped into four classes; boolean, comparisons, numerics and mappings. The basic boolean operations consist of inversion (NOT), AND and OR. However, to simplify (and improve the efficiency of) translating from a gate level hardware description language such as HILO to NODEN_HDL, these are extended to three, four and eight input AND and OR functions (AND3, OR4 etc) and their inverses (NAND, NOR3 etc). There is also a predefined boolean selection function SEL2, such that:-

SEL2(a,b,c) = IF a THEN b ELSE c FI

NODEN supports the six possible numeric comparison operators between unconstrained integer values (ie ==, /=, <, <=, >, >=). It also supports equality and inequality (== & /=) operations between values of the same wire or enumeration type, and between arrays of wire or enumeration values. All these operations deliver boolean results.

There are basically two numeric operations defined in NODEN, + and -. Both are defined between unconstrained integers and deliver unconstrained integer results. It should be remembered that all unconstrained integers are defined to be positive, but the - operator may lead to a negative value being delivered. This is usually an error and will raise an exception in the analyser to say the analysis has failed. The exception detection and handling mechanism is discussed in section 6.4.2.

NODEN supports three groups of mapping operators; arrays of booleans to/from unconstrained integers, constrained integers to/from unconstrained integers, and enumeration types to/from arrays of booleans. Arrays of booleans are mapped to integers with the VALn operators, that is VAL4 maps an array of four booleans to an integer (in the range 0 to 15) etc. WORDn operations provide the converse functions. It should be noted that WORDn operations, like -, may raise an exception, if the value being mapped can ever be too large to be represented by n booleans (eg WORD4 16).

The other four classes of mapping function (constrained to and from unconstrained integers, and enumeration types to and from arrays of booleans) are not automatically available, but have to be requested and named. If F1 is to be a mapping function from an enumeration type counter to an array of two booleans, it is specified as:-

MAP F1 = counter -> [2]bool.

Mapping from constrained to unconstrained integers is always possible, and simply informs the NODEN compiler to change the type of a value. However, mapping from unconstrained to constrained integers involves checking that the unconstrained value is always in the constrained range, and raising an exception if it can ever fall outside that range.

Mapping between enumeration types and arrays of booleans is always possible (with no exceptions), and uses the representation defined for each member of the enumeration type when it was declared.

3.5 NODEN_HDL example

As an example of the use of NODEN, here is the specification of the behaviour of the SN74163 synchronous 4-bit counter [Texas]. The first four lines define an integer type with a range 0 to 15, a delay function for that type and mapping functions between that type and the unconstrained integer type _integer. The auxiliary function INC4 then describes the effect of incrementing an integer of type fourbit. Note that the case of v having its maximum value, 15, is treated separately, so that the addition operation will never generate a value that causes an exception to be raised by WORD_4.

The circuit of interest is described by the BLOCK, SN74163. This defines the inputs into the circuit, the outputs from it, and the internal states (defined by the LATCH4 function count). The next value of count is then defined in terms of the input values and the current state of count, and finally the values of the outputs are specified.

The implementation of this circuit would be defined in a similar manner (not shown here), with a function representing the counter being defined as a BLOCK with the same signature as SN74163. The contents of this block would represent the network of primitive gates used to implement the counter.

TYPE fourbit = INT [0..15].
DELAY LATCH4 = fourbit.
MAP VALUE4 = fourbit -> _integer.
MAP WORD_4 = _integer -> fourbit.

FN INC4 = (fourbit: v) -> fourbit:
   WORD_4( IF (VALUE4 v)==15 THEN 0 ELSE (VALUE4 v) + 1 FI ).

BLOCK SN74163 = (fourbit: datain, bool: loadbar clearbar penb tenb) ->
                (fourbit: current, bool: ripple):
BEGIN MAKE LATCH4: count.
      LET next_count = IF   clearbar == f    THEN WORD_4 0
                       ELIF loadbar == f     THEN datain
                       ELIF penb AND tenb    THEN INC4 count
                       ELSE                       count
                       FI.
      JOIN next_count -> count.
      OUTPUT (count, tenb AND ((VALUE4 count) == 15))
END.
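As an added worked example (Python written for this page, not NODEN code and not from the original paper), the following models the SN74163 specification above, a constructed gate-level implementation of it, and the exhaustive comparison over the input space that NODEN performs symbolically. As in section 4, the current state count is treated as an extra input and the next state as an extra output; WORD_4 raises an exception when its argument exceeds 15, which is why INC4 treats 15 specially; and the checker applies the section 2 rule that a specification don't-care accepts any implementation value while a specification that is undefined for a reachable input is illegal. The gate structure of the implementation, all function names, and the faulty variant used to show a detected mismatch are assumptions introduced here.

```python
"""Added example (not NODEN code): exhaustive block comparison in the style
of the NODEN analyser, applied to the SN74163 specification.  The gate-level
implementation is constructed for this example, not taken from the paper."""
from itertools import product

DONT_CARE = object()   # a type name used as a wild card in a specification
UNDEFINED = object()   # an IF without ELSE: illegal in a specification


def word4(value):
    """WORD_4: unconstrained integer -> fourbit; raises, as the analyser
    raises an exception, when the value cannot fit in 4 booleans."""
    if not 0 <= value <= 15:
        raise ValueError(f"WORD_4 {value}: outside 0..15")
    return value


def inc4(v):
    """INC4: the value 15 is treated separately so WORD_4 never sees 16."""
    return word4(0 if v == 15 else v + 1)


def spec_sn74163(datain, loadbar, clearbar, penb, tenb, count):
    """Block specification.  The current state `count` is an extra input,
    the next state an extra output: returns (current, ripple, next_count)."""
    if not clearbar:
        next_count = word4(0)
    elif not loadbar:
        next_count = datain
    elif penb and tenb:
        next_count = inc4(count)
    else:
        next_count = count
    return (count, tenb and count == 15, next_count)


def to_bits(v):
    """Integer -> [4]bool, element 0 least significant (inverse of VAL4)."""
    return [bool(v >> i & 1) for i in range(4)]


def from_bits(bits):
    """VAL4: [4]bool -> integer."""
    return sum(int(b) << i for i, b in enumerate(bits))


def impl_sn74163(datain, loadbar, clearbar, penb, tenb, count):
    """Constructed gate-level implementation (an assumption of this example):
    a ripple-carry incrementer and a per-bit clear/load/count multiplexer."""
    q, d = to_bits(count), to_bits(datain)
    carry = penb and tenb                     # count enable is the first carry-in
    nxt = []
    for i in range(4):
        inc_bit = q[i] != carry               # XOR: toggle when all lower bits are 1
        carry = carry and q[i]
        bit = d[i] if not loadbar else inc_bit   # load overrides counting
        bit = False if not clearbar else bit     # clear overrides load
        nxt.append(bit)
    return (count, tenb and all(q), from_bits(nxt))


def impl_wrong_priority(datain, loadbar, clearbar, penb, tenb, count):
    """Constructed faulty variant: load wrongly takes priority over clear."""
    cur, ripple, nxt = impl_sn74163(datain, loadbar, clearbar, penb, tenb, count)
    return (cur, ripple, datain if not loadbar else nxt)


def check_block(spec, impl, input_space):
    """Compare spec and impl output by output over every input state and
    return the (inputs, spec_outputs, impl_outputs) mismatches.  A spec
    don't-care accepts any value; a spec that is undefined for a reachable
    input is rejected outright."""
    mismatches = []
    for inputs in input_space:
        s, m = spec(*inputs), impl(*inputs)
        for so, mo in zip(s, m):
            if so is UNDEFINED:
                raise ValueError(f"specification undefined at {inputs}")
            if so is not DONT_CARE and so != mo:
                mismatches.append((inputs, s, m))
                break
    return mismatches


# The block's whole input space: 16 * 2^4 * 16 = 4096 states.
INPUT_SPACE = [(datain, lb, cb, pe, te, count)
               for datain in range(16)
               for lb, cb, pe, te in product((False, True), repeat=4)
               for count in range(16)]

# Section 2's two one-line specifications, over booleans a, b and c.
BOOL3 = list(product((False, True), repeat=3))


def spec_dont_care(a, b, c):
    """IF a==b THEN c ELSE bool FI: any value is acceptable when a /= b."""
    return (c if a == b else DONT_CARE,)


def spec_undefined(a, b, c):
    """IF a==b THEN c FI: undefined when a /= b, so illegal as a specification."""
    return (c if a == b else UNDEFINED,)


def impl_always_c(a, b, c):
    return (c,)


if __name__ == "__main__":
    print("SN74163 mismatches:", len(check_block(spec_sn74163, impl_sn74163, INPUT_SPACE)))
    print("faulty variant mismatches:",
          len(check_block(spec_sn74163, impl_wrong_priority, INPUT_SPACE)))
    print("don't-care spec accepted:", check_block(spec_dont_care, impl_always_c, BOOL3) == [])
```

The enumeration over 4096 states is what makes this a toy: NODEN's analyser reaches the same verdict by manipulating sets of input states symbolically, which is the subject of the sections that follow. The faulty variant is caught only on the 960 states where clear and load are both asserted and datain is non-zero, which is exactly the kind of priority error a hand-optimised implementation can introduce.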


4 The use of multi-valued logic

The function of the NODEN analyser is to find the way in which each of the outputs of a block depends upon the block's inputs. To this end, the next state of a memory element is regarded as an additional output, and its current state as a further input to the block. If the set of all possible input values to a block defines its input space, what is required for each output is an expression that indicates the set of states from the input space that causes the output to have some particular value. Before a detailed description of the operations performed by the NODEN analyser is undertaken, some consideration should be given to the effect of multi-valued logic on set manipulation.

A conventional boolean expression of three variables a, b and c, such as $d = a + \bar{b} \cdot c$, is interpreted as "d is true if a is true or if b is false and c is true".¹ This interpretation depends upon a number of conventions; firstly that unless otherwise indicated expressions are written to indicate when the value is true, and that the name of a variable means the conditions under which that variable is true, whilst the name of a variable with a bar over it means the conditions under which that variable is false. What is actually being described by this expression is the set of states, from the set of eight possible states of a, b and c, for which d is true. This provides a complete definition of d: being a boolean value, it can only ever have the states true or false, so any input state that is not a member of the set defined by the above expression must lead to d being false.


¹ Note that in writing an expression the effect of taking the union of two sets will be shown as +, whilst the union operator between expressions is written as ∪. Similarly the effect of the intersection operator is shown as · whilst the operator is ∩. As is conventional it will be assumed that intersection binds more tightly than union.
Whilst the above convention is acceptable for purely boolean expressions there are two reasons why it is desirable to be able to reason about values with more than two states. Firstly, some signals commonly met in electronics naturally have more than two states. A tristate signal, as implied by its name, has three possible states: high, low and z. Secondly, it may be desirable to describe the behaviour of some device in terms of an abstract variable with a number of possible states, which will be implemented as a collection of simpler (possibly boolean) signals. For example the control input to an arithmetic unit may be said to have the states add, subtract, shift etc, whilst the implementation consists of a set of boolean signals, with a defined state representing each of the abstract control values. If e and f are tristate values, it is quite sensible to state that

$$f_{high} = e_{high} \cdot \bar{b} + e_{z} \cdot c$$

to mean that "f has the value high when e is high and b is false or when e has the value z and c is true". It should be noticed that this is not a complete description of f, as when the inputs are in a state which is not a member of the above set, it is clear that f must be low or z, but it is not known which. A second expression is needed to complete the description.

In general, a value with n possible states can be completely defined by n − 1 expressions which describe the conditions under which it is in n − 1 of its possible states. It will be in its n-th state for any input state which is not covered by these expressions. In practice NODEN does not make use of this property, but defines all n states. This avoids the necessity of implementing a set difference operator to find when a value can be in the n-th state.

Therefore, a value v with n possible states can be defined by n expressions $v_i$ (i = 1 to n), where $v_i$ defines the set of input states which leads to v being in state i. Clearly for any given input state, v can only be in one particular state. It must therefore be the case that the intersection between any pair of expressions $v_i$ and $v_j$ is the empty set (0). Also all input states must define a result state, so the union of all of the n expressions must equal the set of all possible input states (1). That is:

$$i \neq j \Rightarrow (v_i \cap v_j) = 0 \quad\text{and}\quad \bigcup_{i=1}^{n} v_i = 1$$

These properties can be used to check the correct operation of the NODEN analyser.[2]


5 Non-numeric analyser operations

The NODEN compiler generates a series of instructions to the analyser, which correspond to a collection of built in functions and operations. Whilst it is not the intention of the following two sections to describe the detailed formats of these instructions, the algebra performed by them is the basis for all the claims made for the NODEN verification suite and so will be described in detail.

This section considers those actions that can be performed on non-numeric (ie wire and enumeration) types, whilst section 6 considers numerics. Neither section will explicitly describe structures of values, as these can easily be constructed and manipulated as a series of primitive non-numeric or numeric values. Hence the formation of structures (CONC) and the selection and slicing of values from structures will not be considered explicitly.

[2] These properties only hold for non-numeric values; for numerics see section 6.1.

The actions and operations to be described will be in terms of the set expressions that represent when a value is in a particular state. These operations are independent of the representation of the expressions. A number of possible representations will be discussed in section 7.

5.1 Representation of values

Wire and enumeration values are represented in the same manner. For a type with k members $m_1$ to $m_k$, a value is represented as a set of k + 2 expressions. The first k of these indicate when the value is in states $m_1$ to $m_k$, whilst the remaining two indicate when the value has either been declared to be irrelevant (the don't care or X state) or when it is undefined (the U state). That is, a value a of k states is represented by a set of k + 2 expressions: $V_{a=m_i}$ (i = 1 to k), $X_a$ and $U_a$.

Boolean values (which have two states 't' and 'f') will be treated as a special case. Whilst these could be represented as a set of expressions $[V_{a=t}, V_{a=f}, X_a, U_a]$, these occur so frequently in the following descriptions that it is convenient to rename the first two expressions. A boolean value, a, is therefore represented as $[T_a, F_a, X_a, U_a]$.

When a constant value of a type with k members is required (including don't care and undefined), a structure of k + 2 expressions is created, with the required member equal to the universal set (1) and all other expressions being the empty set (0). So for a boolean value, [1, 0, 0, 0] is the representation of the constant 'true'; [0, 0, 1, 0] is the boolean don't care, etc.


5.2 Input values

An input value for a block is the value the NODEN analyser associates with a particular input signal. It should be noted that there is a subtle difference between the conceptual input and the analyser input value. If a is an input to the block under consideration and is of a type with k members, then the analyser value representing a, as previously discussed, will consist of k + 2 expressions. However, the don't care and undefined states are properties of the analysis process, not of the input. An actual input signal must be in one of its k member states. The analyser value representing a must therefore define a set of expressions that show a in its k legal states but never in the don't care or undefined state.

For example, if a is a boolean, the analyser value associated with a would be $[a, \bar{a}, 0, 0]$.


5.3 Boolean operations

If a is a boolean value (with the representation discussed above), then the inverse of a is:

$$NOT\ a \Rightarrow [F_a,\; T_a,\; 0,\; X_a \cup U_a]$$

Note whenever a is either in its don't care or undefined state, the result is undefined. It is arguable that the inverse of the don't care state should be don't care, but it was felt that this was contrary to the intended meaning. It was intended that don't care should imply that under some set of conditions the value would not be used, but applying NOT to the value is using it, hence the result should be undefined rather than don't care. Whilst either definition of NOT is sensible, the one above is the one implemented by the analyser.

The basic boolean combinatorial operation is AND. This is defined as:

$$AND(a, b) \Rightarrow [T_a \cap T_b,\; F_a \cup F_b,\; 0,\; ((X_a \cup U_a) \cap (T_b \cup X_b \cup U_b)) \cup (T_a \cap (X_b \cup U_b))]$$

That is, it is true whenever a and b are true, false whenever a or b is false, and is undefined under all other circumstances.

The NODEN analyser also supports AND3, AND4 and AND8, being three, four and eight input AND functions. These can be constructed from the above function in the expected manner.

The analyser supports NAND, NAND3, NAND4 and NAND8, being the above four functions followed by NOT.

The analyser supports the OR operator, where:

$$OR(a, b) \Rightarrow NOT((NOT\ a)\ AND\ (NOT\ b))$$

As with AND, this is extended to provide OR3, OR4, OR8, NOR, NOR3, NOR4 and NOR8 operations.

The final boolean operation directly supported by the analyser is a select function, where:

$$SEL2(a, b, c) \Rightarrow (a\ AND\ b)\ OR\ ((NOT\ a)\ AND\ c) = IF\ a\ THEN\ b\ ELSE\ c\ FI$$

5.4 Conditional statements

The basic conditional statement in NODEN-HDL has the form:

    CASE a OF
      m1: e1,
      m3: e3,
      m4: e4
    ELSE other
    ESAC

If a is of a type with k members $m_1$ to $m_k$, then the CASE statement above can be regarded as an operator applied to a and k expressions $E_{e1}$ to $E_{ek}$, such that whenever a has the value $m_1$ the result $E_{e1}$ is delivered, etc. Should the source text not supply a result expression for all the members of a, then the default result $E_{other}$ is used. Thus in the above example, if a is of a type with five members, $E_{other}$ is used as $E_{e2}$ and $E_{e5}$. Should the ELSE clause be absent in the source text, $E_{other}$ is taken to be an undefined value of the appropriate type.

Each of the expressions $E_{e1}$ to $E_{ek}$ and $E_{other}$ must be of the same type, and if this is a non-numeric type with l members, then the result expression R will also be of the same non-numeric type. R will be in a particular state whenever the result expression selected by a is in the same state,[3] that is:

$$\text{for } i = 1 \text{ to } l:\quad V_{R=m_i} \Leftarrow \bigcup_{j=1}^{k} V_{a=m_j} \cap V_{E_{ej}=m_i}$$

This also holds for the don't care state:

$$X_R \Leftarrow \bigcup_{j=1}^{k} V_{a=m_j} \cap X_{E_{ej}}$$

Finally, the result is in an undefined state whenever the selected expression is undefined or whenever a is itself undefined or don't care:

$$U_R \Leftarrow X_a \cup U_a \cup \bigcup_{j=1}^{k} V_{a=m_j} \cap U_{E_{ej}}$$

If the result expression is a structure of primitive values, then the effect of the CASE statement can be determined by applying the above operator to each of the primitive values in turn. The effect of the result or selector expressions being a numeric value is discussed in section 6.5.

The NODEN-HDL language also contains a boolean conditional statement:

    IF a1 THEN a2 ELSE a3 FI

This is simply a special case of the CASE statement described above, and is analysed as:

    CASE a1 OF t: a2 ELSE a3 ESAC

Similarly the following two nested conditionals are equivalent:

    IF a1 THEN a2 ELIF a3 THEN a4 ELSE a5 FI

and

    CASE a1 OF
      t: a2
    ELSE CASE a3 OF
           t: a4
         ELSE a5
         ESAC
    ESAC

[3] The expression $V_{a=m_j}$ represents the conditions under which a particular limb of the case statement is delivered. These are the conditions used to determine if any errors in the evaluation of the limb are to be reported. See sections 6.4.2, 6.6 and 6.7.


5.5 Equality operator

For all wire and enumeration types, NODEN accepts an equality operator '=='. The result of applying this operator between two values a and b (which are of the same type, and have k members) is a boolean value. The result R is true whenever a and b are in the same legal states ($m_1$ to $m_k$), false whenever they are in different legal states, and undefined whenever a or b are undefined or don't care. That is:

$$T_R \Leftarrow \bigcup_{i=1}^{k} V_{a=m_i} \cap V_{b=m_i}$$

$$F_R \Leftarrow \bigcup_{i=1}^{k} \bigcup_{j=1}^{k} V_{a=m_i} \cap V_{b=m_j} \quad (i \neq j)$$

$$X_R \Leftarrow 0$$

$$U_R \Leftarrow X_a \cup U_a \cup X_b \cup U_b$$

The inequality operator is defined as the inverse of the above, ie:

    a /= b = NOT (a == b)

An equality operator is also defined between arrays of values of the same type. If a and b are arrays of values of length n, so that the members of the array are a[1] to a[n] and b[1] to b[n], then a == b is defined as:

    (a[1] == b[1]) AND (a[2] == b[2]) AND ... AND (a[n] == b[n])

Again the inequality operator is simply NOT applied to the above.

5.6 Mapping enumeration types to booleans

For all enumeration types there exists an operator to map a value of that type onto an array of booleans (with the representation defined or implied in the source text). If a is of an enumeration type with k members ($m_1$ to $m_k$), and a mapping is defined from this type to an array of n booleans, then internally a set of representation functions exist, REP, where $REP(m_i, j)$ delivers true (t) if the j-th bit of member $m_i$ is defined to be true; delivers false (f) if the j-th bit of $m_i$ is defined to be false; and delivers a boolean don't care (bool) if the j-th bit of $m_i$ is defined to be irrelevant. If the boolean equivalent of a is a set of n boolean values $R_1$ to $R_n$, then for j = 1 to n:

    R_j <= CASE a OF
               m_1: REP(m_1, j),
               ...
               m_k: REP(m_k, j)
           ESAC

There is however one difference between this effective CASE statement and the normal NODEN-HDL CASE described in section 5.4: whenever the selector a is irrelevant, the result is also irrelevant (and not undefined).

For example, if a type is defined to have three states mapped onto two booleans as follows:

    TYPE control = NEW [2]bool (reset = #1x | load = #00 | inc = #01)

Then the two boolean values equivalent to a value a of the type control are:

$$R_1 \Leftarrow [V_{a=reset},\; V_{a=load} \cup V_{a=inc},\; X_a,\; U_a]$$

$$R_2 \Leftarrow [V_{a=inc},\; V_{a=load},\; V_{a=reset} \cup X_a,\; U_a]$$

5.7 Mapping booleans to enumeration types

There is a mapping corresponding to the inverse of the above, mapping an array of booleans onto an enumeration type. This is effectively defined as a conditional statement of the form:

    IF em1 THEN m1
    ELIF em2 THEN m2
    ...
    ELIF emk THEN mk
    FI

Where each of the k expressions $em_i$ is a series of AND operations applied between members of the array of booleans $R_1$ to $R_n$. For a result equal to $m_i$: if $REP(m_i, j)$ delivers t, then the value $R_j$ is present in the expression $em_i$; if $REP(m_i, j)$ delivers f, then the inverse of $R_j$ is present in $em_i$; and if $REP(m_i, j)$ delivers bool, then $R_j$ is not present in $em_i$. That is, for the previous example, if r1 and r2 are the pair of boolean values to be mapped onto the enumeration type control, the mapping function is equivalent to:

    IF r1 THEN reset
    ELIF (NOT r1) AND (NOT r2) THEN load
    ELIF (NOT r1) AND r2 THEN inc
    FI

or

$$[T_{r1},\; F_{r1} \cap F_{r2},\; F_{r1} \cap T_{r2},\; 0,\; U_{r1} \cup X_{r1} \cup (F_{r1} \cap (U_{r2} \cup X_{r2}))]$$

Note that this function is not strictly the converse of the enumeration to boolean function described in the previous section, as the don't care enumeration type maps onto an array of don't care booleans, but any boolean being don't care maps onto the enumeration type undefined.
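The CASE operator of section 5.4 and the two mappings of sections 5.6 and 5.7, as an added Python example (not code from the paper or from the NODEN analyser), using an explicit-set representation: a value of a k-member type is a list of k + 2 frozensets over the input states. The control type and its representation literals are the paper's own; the helper names, the x_propagates flag that models the one difference noted in section 5.6, and the use of the complement of T ∪ F as the undefined set of an AND of literals (valid because every value partitions the universal set) are assumptions of the example.

```python
from itertools import product

EMPTY = frozenset()   # the set "0"

def universe(domains):
    # Every joint assignment to the inputs (name -> tuple of member values): "1".
    names = list(domains)
    return frozenset(tuple(zip(names, vals))
                     for vals in product(*(domains[n] for n in names)))

def input_value(name, members, U):
    # Section 5.2: one set per member, and empty X and U sets for an input.
    return [frozenset(s for s in U if dict(s)[name] == m) for m in members] + [EMPTY, EMPTY]

def constant(member, members, U):
    # Section 5.1: the required member is 1, the rest 0. member may be "X" or "U".
    states = list(members) + ["X", "U"]
    return [U if m == member else EMPTY for m in states]

BOOL = ("t", "f")     # a boolean is the two-member type, laid out as [T, F, X, U]

def CASE(a, a_members, limbs, other, x_propagates=False):
    # Section 5.4 as a set operator: limbs maps members of a to result values
    # (all of one type, hence one length); missing members use `other`. With
    # x_propagates, a don't care selector gives a don't care result (section 5.6)
    # instead of an undefined one.
    values = [limbs.get(m, other) for m in a_members]
    k, width = len(a_members), len(values[0])
    Xa, Ua = a[k], a[k + 1]
    r = [frozenset().union(*(a[j] & values[j][i] for j in range(k)))
         for i in range(width)]
    if x_propagates:
        r[-2] |= Xa
        r[-1] |= Ua
    else:
        r[-1] |= Xa | Ua
    return r

def enum_to_bool(a, members, reps, U):
    # Section 5.6: R_j = CASE a OF m_i: REP(m_i, j) ESAC, with X propagation.
    # reps[m] is the literal for member m, e.g. "1x"; REP(m, j) is its j-th character.
    rep_value = {"1": constant("t", BOOL, U), "0": constant("f", BOOL, U),
                 "x": constant("X", BOOL, U)}
    width = len(next(iter(reps.values())))
    return [CASE(a, members, {m: rep_value[reps[m][j]] for m in members},
                 constant("U", BOOL, U), x_propagates=True) for j in range(width)]

def and_literals(lits, U):
    # AND of booleans or their inverses (section 5.7). Each value partitions "1"
    # and the AND of section 5.3 is never don't care, so U is what T and F leave.
    T = frozenset.intersection(U, *(r[0] if pos else r[1] for r, pos in lits))
    F = frozenset().union(*(r[1] if pos else r[0] for r, pos in lits))
    return [T, F, EMPTY, U - T - F]

def bool_to_enum(R, members, reps, U):
    # Section 5.7: IF em_1 THEN m_1 ELIF em_2 THEN m_2 ... FI, as nested CASEs
    # with no ELSE, so a pattern that matches no member is undefined.
    result = constant("U", members, U)
    for m in reversed(members):
        lits = [(R[j], ch == "1") for j, ch in enumerate(reps[m]) if ch != "x"]
        result = CASE(and_literals(lits, U), BOOL,
                      {"t": constant(m, members, U)}, result)
    return result

CONTROL = ("reset", "load", "inc")                  # the paper's example type
REPS = {"reset": "1x", "load": "00", "inc": "01"}

def demo():
    U = universe({"a": CONTROL, "r1": (False, True), "r2": (False, True)})
    a = input_value("a", CONTROL, U)
    R1, R2 = enum_to_bool(a, CONTROL, REPS, U)
    round_trip = bool_to_enum([R1, R2], CONTROL, REPS, U) == a
    # The asymmetry of section 5.7: a don't care boolean that a pattern
    # consults makes the enumeration undefined, but only where it is consulted.
    r1 = input_value("r1", (True, False), U)
    back = bool_to_enum([r1, constant("X", BOOL, U)], CONTROL, REPS, U)
    return round_trip, back[0] == r1[0], back[-1] == r1[1]
```

For two defined boolean inputs r1 and r2 the result of bool_to_enum is exactly the five-element list given above for the control type; with r2 replaced by the don't care constant, reset is still delivered wherever r1 is true and the value is undefined wherever r1 is false.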

6 Numeric analyser operations

6.1 Representation of values

NODEN is concerned with two classes of numeric values: constrained integers with a defined range (lwb to upb), and unconstrained integers which in principle can have any value from zero to infinity. It should be noted that all numeric values are strictly non-negative and both constrained and unconstrained integers have the same representation.

Numeric inputs and outputs of a block are always constrained integers, because these must be represented in the physical implementation by a finite set of signals, and so must have a finite number of states. Inside a block, all operations are performed on unconstrained integers. If not, each numeric type would require its own set of arithmetic operators, and the expected type of an arithmetic operation would quickly become ambiguous in a description with several numeric types. As input and output numerics are always constrained but all operators act on unconstrained values, it would be expected that mapping functions are required to turn constrained integers into unconstrained, and vice versa. These are described in section 6.6.

As all unconstrained integers are always derived by arithmetic operations from constrained integers or constants, they in fact always have a known finite range. Therefore any integer a has a maximum value $maxval_a$. If $n_a$ is the number of bits needed to represent $maxval_a$ in binary form (ie $n_a = \lceil \log_2(maxval_a + 1) \rceil$),[4][5] then a numeric representation consists of $2 \times n_a$ expressions defining when the $n_a$ bits of the binary representation are in their true and false states ($BIT_{a=t_i}$ and $BIT_{a=f_i}$, for i = 1 to $n_a$). Like non-numeric values, numerics may also be defined to be irrelevant (don't care or $X_a$) or may be undefined ($U_a$). So an integer a with a maximum value of 2 (or 3) is represented as two bits, don't care and undefined:

$$[BIT_{a=t_1},\; BIT_{a=f_1},\; BIT_{a=t_2},\; BIT_{a=f_2},\; X_a,\; U_a]$$

Each bit $BIT_{a=t_i}$ and $BIT_{a=f_i}$, together with $X_a$ and $U_a$, effectively forms a boolean value. So it must be the case that, for i = 1 to $n_a$:

$$BIT_{a=t_i} \cap BIT_{a=f_i} = 0,\quad BIT_{a=t_i} \cap X_a = 0,\quad BIT_{a=t_i} \cap U_a = 0,\quad BIT_{a=f_i} \cap X_a = 0,\quad BIT_{a=f_i} \cap U_a = 0 \quad\text{and}\quad X_a \cap U_a = 0$$

also

$$BIT_{a=t_i} \cup BIT_{a=f_i} \cup X_a \cup U_a = 1$$

[4] Note that $\lceil a \rceil$ is the first integer greater than or equal to a.

[5] The integer literal 0 is treated as a special case, with $n_0 = 1$ rather than 0.

These properties can be used to check the operation of the analyser, in the same way that the equivalent properties for non-numerics can be used, as described in section 4. In addition, for any pair of bits i and j:

$$BIT_{a=t_i} \cup BIT_{a=f_i} = BIT_{a=t_j} \cup BIT_{a=f_j}$$

Literal numeric values are therefore represented by a binary value, with any non-significant leading 0's removed and the least significant bit first. Hence 4 is represented as [0, 1, 0, 1, 1, 0, 0, 0]. All numeric values are represented with at least one bit, so the don't care numeric value is [0, 0, 1, 0].

6.2 Input values

If v is a numeric input to a block, with a range 0 to upb, then the analyser will represent this as a set of n bits, where $n = \lceil \log_2(upb + 1) \rceil$. If $upb = 2^n - 1$, then the mapping between these bits and v is obvious. For example if upb = 7, then v is mapped onto a set of three bits (say a, b, c, with a the least significant), such that v is represented as:

$$[a,\; \bar{a},\; b,\; \bar{b},\; c,\; \bar{c},\; 0,\; 0]$$

If $upb \neq 2^n - 1$, then the first upb states of v (0 to upb − 1) will be mapped onto the equivalent states of the bits, whilst the final state of v will map onto all the remaining states of the bits. So if upb = 5, then this value will also be represented by three bits, such that:

$$0 = \bar{a} \cdot \bar{b} \cdot \bar{c} \quad\text{and}\quad 1 = a \cdot \bar{b} \cdot \bar{c} \quad\text{etc to}\quad 4 = \bar{a} \cdot \bar{b} \cdot c \quad\text{and}\quad 5 = a \cdot \bar{b} \cdot c + \bar{a} \cdot b \cdot c + a \cdot b \cdot c$$

Hence the value of v is represented as:

$$[a + b \cdot c,\; \bar{a} \cdot \bar{c} + \bar{a} \cdot \bar{b},\; b \cdot \bar{c},\; \bar{b} + c,\; c,\; \bar{c},\; 0,\; 0]$$

If the range of v is not 0 to upb, but lwb to upb, then the input value is derived by making a value for an input in the range 0 to upb − lwb as described above, and adding a literal value lwb to it (see section 6.3). So the value of an input with a range 1 to 6 (mapped onto three bits) would be:

$$[\bar{a} \cdot \bar{c} + \bar{a} \cdot \bar{b},\; a + b \cdot c,\; a \cdot \bar{b} + \bar{a} \cdot b + a \cdot c,\; \bar{a} \cdot \bar{b} + a \cdot b \cdot \bar{c},\; c + a \cdot b,\; \bar{a} \cdot \bar{c} + \bar{b} \cdot \bar{c},\; 0,\; 0]$$

6.3 The addition operation

To find the sum of two numeric values, a and b, a binary ripple add algorithm is used. This algorithm assumes that both numeric values have the same number of significant bits n. If this is not the case, the missing bits of the shorter value are constructed to be never true and false whenever any one of the defined bits (say bit 1) is either true or false. Note that these constructed bits are not always false, as the union of the conditions under which they are true, false, don't care and undefined must be 1, and none of these four conditions may overlap. So if a has fewer bits than b, each missing bit j is constructed as:

$$BIT_{a=t_j} \Leftarrow 0 \quad\text{and}\quad BIT_{a=f_j} \Leftarrow BIT_{a=t_1} \cup BIT_{a=f_1}$$

Each bit of the result, r, is constructed as the sum of the corresponding bits from a and b and a ripple carry from the previous bit. The carry out from each bit is also evaluated. That is for i = 1 to n:

$$BIT_{r=t_i} \Leftarrow (BIT_{a=t_i} \cap BIT_{b=t_i} \cap CARRY_{t_{i-1}}) \cup (BIT_{a=t_i} \cap BIT_{b=f_i} \cap CARRY_{f_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=t_i} \cap CARRY_{f_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=f_i} \cap CARRY_{t_{i-1}})$$

$$BIT_{r=f_i} \Leftarrow (BIT_{a=t_i} \cap BIT_{b=t_i} \cap CARRY_{f_{i-1}}) \cup (BIT_{a=t_i} \cap BIT_{b=f_i} \cap CARRY_{t_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=t_i} \cap CARRY_{t_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=f_i} \cap CARRY_{f_{i-1}})$$

$$CARRY_{t_i} \Leftarrow (BIT_{a=t_i} \cap BIT_{b=t_i} \cap CARRY_{f_{i-1}}) \cup (BIT_{a=t_i} \cap CARRY_{t_{i-1}}) \cup (BIT_{b=t_i} \cap CARRY_{t_{i-1}})$$

$$CARRY_{f_i} \Leftarrow (BIT_{a=f_i} \cap CARRY_{f_{i-1}}) \cup (BIT_{b=f_i} \cap CARRY_{f_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=f_i} \cap CARRY_{t_{i-1}})$$

where $CARRY_{t_0} = 0$ and $CARRY_{f_0} = (BIT_{a=t_1} \cup BIT_{a=f_1}) \cap (BIT_{b=t_1} \cup BIT_{b=f_1})$.

Note that $CARRY_{f_0} \neq 1$, as this may lead to sets of expressions that violate the rules already expressed for the union and intersection of the bits of a value; instead it is false only under those conditions for which a and b both have defined values.

If the carry out from the n-th bit can ever be true ($CARRY_{t_n} \neq 0$), then the result has one more significant bit than the operands, such that:

$$BIT_{r=t_{n+1}} \Leftarrow CARRY_{t_n} \quad\text{and}\quad BIT_{r=f_{n+1}} \Leftarrow CARRY_{f_n}$$

The result can never be irrelevant ($X_r \Leftarrow 0$) and is undefined whenever either of the operands is undefined or don't care:

$$U_r \Leftarrow X_a \cup U_a \cup X_b \cup U_b$$


6.4 Subtraction and comparison operators

6.4.1 General difference operator

The difference between two numeric values a and b is found in a similar manner to the above addition operator. However, it is used for two distinct purposes, firstly to evaluate a − b, and secondly to compare two numeric values as in a > b. For this reason, the general difference algorithm will be described first, and then the following two sections will consider its use.

The difference algorithm used is the well known method of adding the inverse of the second operand to the first operand, with the carry into the first bit equal to 1. In order to distinguish between the sum and difference algorithms, the difference operator will be described as delivering n DIFF values (rather than BITs) and the carry expressions will be replaced by their inverse, BORROW. As with addition, n is the number of significant bits in the longer of the operands, and the shorter operand is padded to the same length with values calculated in the same manner.

The difference operator is evaluated as, for i = 1 to n:

$$DIFF_{t_i} \Leftarrow (BIT_{a=t_i} \cap BIT_{b=t_i} \cap BORROW_{t_{i-1}}) \cup (BIT_{a=t_i} \cap BIT_{b=f_i} \cap BORROW_{f_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=t_i} \cap BORROW_{f_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=f_i} \cap BORROW_{t_{i-1}})$$

$$DIFF_{f_i} \Leftarrow (BIT_{a=t_i} \cap BIT_{b=t_i} \cap BORROW_{f_{i-1}}) \cup (BIT_{a=t_i} \cap BIT_{b=f_i} \cap BORROW_{t_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=t_i} \cap BORROW_{t_{i-1}}) \cup (BIT_{a=f_i} \cap BIT_{b=f_i} \cap BORROW_{f_{i-1}})$$

$$BORROW_{t_i} \Leftarrow (BIT_{a=f_i} \cap BIT_{b=t_i} \cap BORROW_{f_{i-1}}) \cup (BIT_{a=f_i} \cap BORROW_{t_{i-1}}) \cup (BIT_{b=t_i} \cap BORROW_{t_{i-1}})$$

$$BORROW_{f_i} \Leftarrow (BIT_{a=t_i} \cap BORROW_{f_{i-1}}) \cup (BIT_{b=f_i} \cap BORROW_{f_{i-1}}) \cup (BIT_{a=t_i} \cap BIT_{b=f_i} \cap BORROW_{t_{i-1}})$$

where $BORROW_{t_0} = 0$ and $BORROW_{f_0} = (BIT_{a=t_1} \cup BIT_{a=f_1}) \cap (BIT_{b=t_1} \cup BIT_{b=f_1})$.

6.4.2 The subtraction operator

Evaluating a − b is rather different to evaluating the sum of two values, as this is the first operation discussed which has an exception condition. As all NODEN numeric values are defined to be strictly non-negative, if a can ever be less than b, there is a set of results which cannot be represented by a numeric value. This will normally lead to the analyser reporting an error (as will be described later). In any event, the result of the subtraction is undefined for negative values (ie when $BORROW_{t_n} \neq 0$). Conversely, the general difference operator delivers the correct values for the result bits under the conditions indicated by $BORROW_{f_n}$.

Hence, if r = a − b, then the BIT values of r are, for i = 1 to n:

$$BIT_{r=t_i} \Leftarrow BORROW_{f_n} \cap DIFF_{t_i} \quad\text{and}\quad BIT_{r=f_i} \Leftarrow BORROW_{f_n} \cap DIFF_{f_i}$$

The result is never irrelevant ($X_r \Leftarrow 0$) and is undefined whenever a or b are undefined or irrelevant, or when the result would be negative:

$$U_r \Leftarrow X_a \cup U_a \cup X_b \cup U_b \cup BORROW_{t_n}$$

It was said earlier that if the result of a subtraction can ever be negative then usually an error is reported. Precisely what happens depends upon where in the source text the subtraction being evaluated occurred. If a is of a numeric type with lower bound 0, and the NODEN-HDL source contains the statement:

    LET a.minus.1 = a - 1.

an error will be reported by the analyser to the effect that analysis of the current block has failed whilst evaluating a subtraction on a particular line of the source text, under the condition for which a = 0. However, if the subtraction is in a conditional statement, as in:

    LET a.limit = IF a == 0 THEN 0 ELSE a - 1 FI.

then no error will be reported. This is because the analyser evaluates an expression which indicates the conditions under which the result limb of a conditional statement will be delivered. If the result limb can raise an exception, it checks whether the exceptional result could ever occur before indicating an error. Hence in the above example, the subtraction is performed under the conditions when a ≠ 0, so the exception when a = 0 can never be raised, hence no error is reported.

There are a set of unusual circumstances that may lead to an error not being reported immediately. If the source text contains a statement such as:

    LET a.dec = IF a /= 0 THEN a - 1 ELSE a - 1 FI.

no error is reported, because the analyser recognises that a - 1 need only be evaluated once. As the first occurrence is under the circumstances when a ≠ 0, no error is reported. However this does not lead to an erroneous result, as any output from the block that uses a.dec will be shown as being undefined when a = 0. This will lead to an error being reported if the source text is a specification (as all specification outputs must be defined for all input values), or, if the description is an implementation, a mismatch will be reported when the implementation is compared with the specification.

6.4.3 Comparison operators

NODEN supports six relational operations between numeric values (>, >=, <, <=, == and /=). The two principal operations are < and ==. Both are evaluated using the difference operation previously described. a < b is true whenever a − b is negative (ie in the conditions indicated by $BORROW_{t_n}$), false when a − b is zero or positive (ie in the conditions indicated by $BORROW_{f_n}$), never irrelevant and undefined whenever either of the operands are irrelevant or undefined. That is:

$$a < b \Leftarrow [BORROW_{t_n},\; BORROW_{f_n},\; 0,\; X_a \cup U_a \cup X_b \cup U_b]$$

a and b are equal whenever all the DIFF bits are false. Hence the equality operator is defined as:

$$a == b \Leftarrow \left[\bigcap_{i=1}^{n} DIFF_{f_i},\; \bigcup_{i=1}^{n} DIFF_{t_i},\; 0,\; X_a \cup U_a \cup X_b \cup U_b\right]$$

The other comparisons are then constructed as:

    a /= b is equivalent to NOT (a == b)
    a <= b is equivalent to (a < b) OR (a == b)
    a >  b is equivalent to NOT ((a < b) OR (a == b))
    a >= b is equivalent to NOT (a < b)
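The numeric representation of section 6.1, the ripple add of 6.3, the general difference and subtraction of 6.4 and the comparisons of 6.4.3, as an added Python example (not the paper's or the analyser's code) over explicit sets of input states. Inputs are assumed to have upb = 2^n − 1, so the section 6.2 mapping is the direct one; the difference is built, as the paper says, by adding the inverse of b with carry-in 1 and reading the borrow as the inverse carry; and reports_error models the section 6.4.2 rule that an exception is reported only if it can occur under the conditions that select its limb. The helper names and the demo inputs are the example's own.

```python
from itertools import product

EMPTY = frozenset()          # the set "0"

def universe(ranges):
    # Every joint assignment to the named inputs: the set "1". ranges maps an
    # input name to the tuple of values it may take; a state is a tuple of pairs.
    names = list(ranges)
    return frozenset(tuple(zip(names, vals))
                     for vals in product(*(ranges[n] for n in names)))

def cond(U, pred):
    # The subset of input states for which pred(state-as-dict) holds.
    return frozenset(s for s in U if pred(dict(s)))

def numeric_input(name, upb, U):
    # Section 6.2 input with range 0..upb; assumes upb = 2**n - 1.
    # Bit 1 (index 0) is the least significant, as in the paper.
    n = max(1, upb.bit_length())
    bits = [(cond(U, lambda s, i=i: s[name] >> i & 1),
             cond(U, lambda s, i=i: not s[name] >> i & 1)) for i in range(n)]
    return {"bits": bits, "X": EMPTY, "U": EMPTY}

def literal(value, U):
    # Section 6.1 literal: leading zeros dropped, at least one bit kept.
    n = max(1, value.bit_length())
    return {"bits": [(U, EMPTY) if value >> i & 1 else (EMPTY, U)
                     for i in range(n)], "X": EMPTY, "U": EMPTY}

def padded(a, n):
    # A missing bit is never true and is false wherever bit 1 is defined (6.3).
    t1, f1 = a["bits"][0]
    return a["bits"] + [(EMPTY, t1 | f1)] * (n - len(a["bits"]))

def defined(a, b):
    # CARRY_f0 (BORROW_f0): the states in which both operands are defined.
    (at, af), (bt, bf) = a["bits"][0], b["bits"][0]
    return (at | af) & (bt | bf)

def ripple(abits, bbits, carry):
    # Binary ripple add over sets (6.3); carry = (CARRY_t0, CARRY_f0).
    ct, cf = carry
    out = []
    for (at, af), (bt, bf) in zip(abits, bbits):
        st = (at & bt & ct) | (at & bf & cf) | (af & bt & cf) | (af & bf & ct)
        sf = (at & bt & cf) | (at & bf & ct) | (af & bt & ct) | (af & bf & cf)
        ct, cf = ((at & bt & cf) | (at & ct) | (bt & ct),
                  (af & cf) | (bf & cf) | (af & bf & ct))
        out.append((st, sf))
    return out, (ct, cf)

def either_undefined(a, b):
    return a["X"] | a["U"] | b["X"] | b["U"]

def add(a, b):
    n = max(len(a["bits"]), len(b["bits"]))
    bits, (ct, cf) = ripple(padded(a, n), padded(b, n), (EMPTY, defined(a, b)))
    if ct:                   # the carry out can be true: one more significant bit
        bits.append((ct, cf))
    return {"bits": bits, "X": EMPTY, "U": either_undefined(a, b)}

def difference(a, b):
    # General difference (6.4.1): add the inverse of b with carry-in 1 and read
    # the borrow as the inverse carry. Returns DIFF bits and (BORROW_tn, BORROW_fn).
    n = max(len(a["bits"]), len(b["bits"]))
    inv_b = [(f, t) for t, f in padded(b, n)]
    diff, (ct, cf) = ripple(padded(a, n), inv_b, (defined(a, b), EMPTY))
    return diff, (cf, ct)

def subtract(a, b):
    # a - b (6.4.2): bits are valid only where there is no final borrow. Also
    # returns the exception set: the states in which the result would be negative.
    diff, (bt, bf) = difference(a, b)
    bits = [(bf & dt, bf & df) for dt, df in diff]
    return {"bits": bits, "X": EMPTY, "U": either_undefined(a, b) | bt}, bt

def less_than(a, b):
    _, (bt, bf) = difference(a, b)
    return [bt, bf, EMPTY, either_undefined(a, b)]

def equal(a, b):
    diff, _ = difference(a, b)
    return [frozenset.intersection(*[df for _, df in diff]),
            frozenset().union(*[dt for dt, _ in diff]), EMPTY, either_undefined(a, b)]

def reports_error(exception, limb):
    # 6.4.2: an exception is reported only if it can occur while its limb is selected.
    return bool(exception & limb)

def value_at(v, s):
    # Decode the integer a numeric value takes in state s (None if X or U).
    if s in v["X"] or s in v["U"]:
        return None
    return sum(1 << i for i, (t, _) in enumerate(v["bits"]) if s in t)

def demo():
    U = universe({"a": tuple(range(8)), "b": tuple(range(4))})
    a, b, one = numeric_input("a", 7, U), numeric_input("b", 3, U), literal(1, U)
    # "a - 1" errors on its own, but not as the ELSE limb of IF a == 0 THEN 0 ELSE a - 1 FI.
    _, exc = subtract(a, one)
    return (reports_error(exc, U),
            reports_error(exc, cond(U, lambda s: s["a"] != 0)),
            all(value_at(add(a, b), s) == dict(s)["a"] + dict(s)["b"] for s in U))
```

The exception set returned by subtract is exactly the set of states in which a = 0; checked against the universal set it is non-empty and an error would be reported, checked against the limb condition a ≠ 0 it is empty and nothing is reported, which is the behaviour section 6.4.2 describes.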


6.5 Conditional statements

6.5.1 Non-numeric selector

Numerics may occur in CASE statements in three ways: as the result of a CASE with a non-numeric selector, or in a CASE statement with a numeric selector and either a numeric or non-numeric result.

The behaviour of a CASE statement with a non-numeric selector and result has been described in section 5.4. The behaviour of the CASE statement with a non-numeric selector and a numeric result is very similar. So for a selector a of a type with k members ($m_1$ to $m_k$) and result expressions $E_1$ to $E_k$ that are numerics with n significant bits,[6] the bits of the numeric result r are, for i = 1 to n:

$$BIT_{r=t_i} \Leftarrow \bigcup_{j=1}^{k} V_{a=m_j} \cap BIT_{E_j=t_i}$$

$$BIT_{r=f_i} \Leftarrow \bigcup_{j=1}^{k} V_{a=m_j} \cap BIT_{E_j=f_i}$$

also:

$$X_r \Leftarrow \bigcup_{j=1}^{k} V_{a=m_j} \cap X_{E_j}$$

$$U_r \Leftarrow X_a \cup U_a \cup \bigcup_{j=1}^{k} V_{a=m_j} \cap U_{E_j}$$

6.5.2 Numeric selector

If the selector a is a numeric value with n significant digits, then the basic form of the CASE statement is:

    CASE a OF
      1: e1,
      3: e3,
      4: e4
    ELSE other
    ESAC

The CASE statement can be regarded as an operator acting on a and $2^n$ result expressions, $E_0$ to $E_{2^n - 1}$, such that when a has the value 0, $E_0$ is delivered etc. As in the non-numeric CASE selector, any missing expressions are replaced by $E_{other}$, and if $E_{other}$ is not defined an undefined value of the appropriate type is delivered. It should be noted that any selector i, where $i > 2^n - 1$, can never be selected, and takes no part in the result.

[6] where n is the length of the result limb with the most significant digits. Any shorter numeric result limbs are padded to the same length as described in section 6.3.
For $i \le 2^n - 1$, a selection value $V_{a=i}$ is defined as the set of conditions for which a has the value i. That is:

$$V_{a=i} \Leftarrow \bigcap_{j=1}^{n} BIT_{a=?_j}$$

where $BIT_{a=?_j}$ is $BIT_{a=t_j}$ if bit j of i is true, or $BIT_{a=f_j}$ if bit j of i is false (lsb = 1). This is the value that is used to test if exceptions are to be reported.

So for a non-numeric result, with l members:

$$\text{for } j = 1 \text{ to } l:\quad V_{r=m_j} \Leftarrow \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap V_{E_i=m_j}$$

$$X_r \Leftarrow \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap X_{E_i}$$

$$U_r \Leftarrow X_a \cup U_a \cup \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap U_{E_i}$$

and for a numeric result, with m significant digits:

$$\text{for } j = 1 \text{ to } m:\quad BIT_{r=t_j} \Leftarrow \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap BIT_{E_i=t_j}$$

$$BIT_{r=f_j} \Leftarrow \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap BIT_{E_i=f_j}$$

$$X_r \Leftarrow \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap X_{E_i}$$

$$U_r \Leftarrow X_a \cup U_a \cup \bigcup_{i=0}^{2^n - 1} V_{a=i} \cap U_{E_i}$$


6.6 Mapping between constrained and unconstrained integers

In NODEN-HDL, mapping functions can be defined to convert a constrained numeric value into the equivalent unconstrained value, and vice versa. The first of these is used solely by the NODEN-HDL compiler to get its type model correct and has no effect on the value as represented in the analyser. On the other hand, mapping from a value which is of the unconstrained numeric type to the equivalent value in a constrained numeric type does involve some evaluation by the analyser, as there is the possibility of an exception being raised if the value being converted can ever lie outside the range of the constrained type.

If F1 is a function defined to map between unconstrained numeric values and values of a type in the range lwb to upb, then the NODEN-HDL statement:

    LET r = F1 a.

is effectively evaluated as:

    LET temp = IF a >= lwb THEN a FI.
    LET r = IF a <= upb THEN temp FI.

The effect of the above is to make the result undefined for all values of a that lie outside the expected range of the result (ie a < lwb or a > upb). As with subtraction, a ever being outside the expected range is regarded as an exceptional condition, and will normally lead to an error being reported (unless the exception is raised inside a conditional that prevents it).


6.7 Mapping between integers and booleans

NODEN_HDL defines a set of functions $VAL_n$ and $WORD_n$ that map from an array of $n$ booleans to an unconstrained integer, and from an unconstrained integer to an array of $n$ booleans respectively.

If $r = VAL_n\ a$, where $a$ is an array of $n$ booleans (with members $a[1]$ to $a[n]$) and $r$ is an unconstrained integer, then $r$ is undefined when any member of $a$ is either irrelevant or undefined. That is, if $E_{legal}$ represents the set of conditions for which $r$ is properly defined, then for $i = 1$ to $n$:-

$BIT_{r=ti} \Leftarrow E_{legal} \cap a[i]$ and $BIT_{r=fi} \Leftarrow E_{legal} \cap \overline{a[i]}$


also

$X_r \Leftarrow \emptyset$

$U_r \Leftarrow \bigcup_{i=1}^{n} X_{a[i]} \cup U_{a[i]}$

where

$E_{legal} = \bigcap_{i=1}^{n} \overline{X_{a[i]} \cup U_{a[i]}}$

If $r = WORD_n\ a$, where $a$ is an unconstrained integer (with $m$ significant bits) and $r$ is an array of $n$ booleans (with members $r[1]$ to $r[n]$), then if $n \ge m$ the function is unexceptional and the $n$ booleans are evaluated as, for $i = 1$ to $n$:-

$r[i] \Leftarrow [BIT_{a=ti}, X_a, U_a]$

As in addition and subtraction, if $n$ is greater than $m$, any 'missing' bits are constructed to be never true, and false under the condition under which the other bit pairs are defined (ie $\overline{X_a \cup U_a}$).

If $m$ is greater than $n$, then the value of $a$ can be greater than the maximum value that can be represented by $n$ bits under all circumstances for which any of the bits of $a$ greater than $n$ are true. The values of $r$ are therefore constructed to be undefined under these circumstances. So for $i = 1$ to $n$:-

$r[i] \Leftarrow [BIT_{a=ti} \cap \bigcap_{j=n+1}^{m} BIT_{a=fj},\ X_a,\ U_a \cup \bigcup_{j=n+1}^{m} BIT_{a=tj}]$

Should there be any values of $a$ that cannot be represented in $n$ bits an exception will be raised (as previously described). This is frequently met when modelling $n$ bit counters. If count is the state of a four bit counter, its next state can legally be defined as:-

    LET next_state = IF (VAL4 count) IS 15
                     THEN WORD4 0
                     ELSE WORD4((VAL4 count) + 1)
                     FI.

whilst

    LET next_state = WORD4((VAL4 count) + 1).

would lead to the analysis failing and an exception being raised.
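As an added illustration (not the NODEN analyser's own code), the counter example above can be played through with concrete sets: a 'set of conditions' is modelled here as the set of values of the four bit count (0 to 15) under which a property holds, booleans carry [true-set, irrelevant-set, undefined-set] as in the equations above, and both definitions of next_state are evaluated to show which one leaves a non-empty undefined set, ie raises the exception. All function names are hypothetical.

```python
from dataclasses import dataclass

# Constructed universe: the 16 possible values of the 4-bit counter `count`.
# A "set of conditions" is the subset of those values under which a property holds.
Cond = frozenset
UNIVERSE = Cond(range(16))
EMPTY = Cond()

@dataclass(frozen=True)
class Bool:
    t: Cond  # conditions under which the boolean is true
    x: Cond  # conditions under which it is irrelevant (X)
    u: Cond  # conditions under which it is undefined (U)

    def f(self) -> Cond:  # false wherever it is neither true, X nor U
        return UNIVERSE - self.t - self.x - self.u

@dataclass(frozen=True)
class Num:
    bits: tuple  # bits[j-1] = BIT_{a=tj}: conditions under which bit j is 1 (lsb = 1)
    x: Cond
    u: Cond

def value_at(a: Num, cond: int) -> int:
    """Concrete value of a under one condition (meaningful only where a is defined)."""
    return sum(1 << j for j, s in enumerate(a.bits) if cond in s)

def count_input() -> list:
    """count[1..4]: four always-defined booleans, count[i] = bit i of the counter."""
    return [Bool(Cond(v for v in UNIVERSE if v >> i & 1), EMPTY, EMPTY) for i in range(4)]

def VAL(a: list) -> Num:
    """VAL_n: the integer is undefined wherever any member of a is X or U."""
    u = Cond().union(*(b.x | b.u for b in a))
    return Num(tuple((UNIVERSE - u) & b.t for b in a), EMPTY, u)

def const(k: int) -> Num:
    width = max(1, k.bit_length())
    return Num(tuple(UNIVERSE if k >> j & 1 else EMPTY for j in range(width)), EMPTY, EMPTY)

def add_const(a: Num, k: int) -> Num:
    """a + k, built bit by bit over the conditions under which a is defined."""
    defined = UNIVERSE - a.x - a.u
    m = max((value_at(a, c) + k for c in defined), default=0).bit_length()
    bits = tuple(Cond(c for c in defined if (value_at(a, c) + k) >> j & 1) for j in range(m))
    return Num(bits, a.x, a.u)

def WORD(n: int, a: Num) -> list:
    """WORD_n: bits of a above n must never be true; r is undefined wherever they are."""
    over_t = Cond().union(*a.bits[n:])                    # union of BIT_{a=tj}, j > n
    padded = a.bits + (EMPTY,) * max(0, n - len(a.bits))  # 'missing' bits are never true
    return [Bool(padded[i] - over_t, a.x, a.u | over_t) for i in range(n)]

def IS(a: Num, k: int) -> Bool:
    """(a IS k): true wherever the defined value of a equals k."""
    defined = UNIVERSE - a.x - a.u
    return Bool(Cond(c for c in defined if value_at(a, c) == k), a.x, a.u)

def IF(sel: Bool, then: list, other: list) -> list:
    """IF sel THEN then ELSE other FI on boolean arrays: the CASE rule with two arms.
    An arm contributes only under the selector values that pick it, so an arm that
    is undefined under conditions the selector excludes raises no exception."""
    return [Bool(sel.t & p.t | sel.f() & q.t, sel.t & p.x | sel.f() & q.x,
                 sel.x | sel.u | sel.t & p.u | sel.f() & q.u) for p, q in zip(then, other)]

def exception_conditions(r: list) -> Cond:
    """Conditions under which any bit of r is undefined: non-empty means an exception."""
    return Cond().union(*(b.u for b in r))

def word_value(r: list, cond: int) -> int:
    """Concrete value of a boolean array under one condition (r[1] is the lsb)."""
    return sum(1 << i for i, b in enumerate(r) if cond in b.t)

count = count_input()
# LET next_state = WORD4((VAL4 count) + 1).
unguarded = WORD(4, add_const(VAL(count), 1))
# LET next_state = IF (VAL4 count) IS 15 THEN WORD4 0 ELSE WORD4((VAL4 count) + 1) FI.
guarded = IF(IS(VAL(count), 15), WORD(4, const(0)), WORD(4, add_const(VAL(count), 1)))
```

The unguarded form is undefined exactly under the condition count = 15, where the five bit sum cannot be held in four bits; the guarded form evaluates that arm only under count ≠ 15, so its undefined set is empty.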

7 Data representation and processing

The usefulness of the NODEN analyser depends upon the complexity of descriptions that it can analyse (given finite machine resources) and the time taken to perform that analysis. These properties in turn depend upon the representations used to store the expression data, and the algorithms used to manipulate them. As will be shown there is a trade-off between representations that efficiently use memory but which are slow to process, and those that are fast but occupy more space. Three analysers have been written, two using a disjunctive normal form representation and the other using a modified Shannon form. The performance of these analysers on a practical application will be discussed in section 8. The following sections will discuss the representations that have been used in the analysers, and the Shannon factorised form representation (on which the modified Shannon form was based).


7.1 Disjunctive Normal Form

Each expression in this representation is written as a list of terms, where each term is the intersection of a number of variables (or their inverse). That is, each term represents a set of states from the input space and the expression is the union of these sets. For example, the expression $a + \bar{b} \cdot c$ consists of the union of two terms, one covering all states in the input space for which $a$ is true, and the other covering all states for which $b$ is false and $c$ true.

For an expression of $n$ boolean variables, each term can be represented by a pair of boolean sets $A_i$ and $S_i$ ($i = 1$ to $n$). $A_i = 0$ means that variable $i$ has no effect on the term, whilst $A_i = 1$, $S_i = 0$ means that the inverse of variable $i$ is part of the term, and $A_i = 1$, $S_i = 1$ means that variable $i$ is part of the term. The two terms in the above expression would therefore be represented as $a \Rightarrow A(1,0,0), S(1,0,0)$ and $\bar{b} \cdot c \Rightarrow A(0,1,1), S(0,0,1)$. That is, $A$ is an Activity mask and $S$ indicates the Sense of active bits.


The two expression operations used by the NODEN analyser are union and intersection. The union of two disjunctive normal form expressions can be found by concatenating the two lists of terms that form the two expressions, to form a single list representing the result. For intersection the following algorithm is used. Each term from the expression $E'$ (represented by $A'$, $S'$) is compared with each term from the second expression $E''$ ($A''$, $S''$). That is, if $E'$ has $t'$ terms and $E''$ has $t''$ terms, there are potentially $t' \times t''$ terms in the result. For each pair of terms under consideration, a term will be added to the result if any active variables in common between the terms are in the same sense. For example, $a \cdot b \cap \bar{b} \cdot c$ will not add anything to the result, whilst $a \cdot \bar{b} \cap \bar{b} \cdot c$ will add a term $a \cdot \bar{b} \cdot c$. That is, a pair of terms will add to the result if for $i = 1$ to $n$: $A'_i \wedge A''_i \wedge (S'_i \ne S''_i) = 0$.⁹ If required, the term to be added to the result ($A'''$, $S'''$) is $A''' \Leftarrow A' \vee A''$, $S''' \Leftarrow A''' \wedge (S' \vee S'')$.

Unfortunately this representation is not canonical, and it can easily be seen how the algorithms described above could lead to multiple copies of the same term appearing in the representation of an expression. Whilst this would not affect the correctness of the result, it would cause the representation to be wasteful of memory, and more importantly, as the time to perform the intersection operation is proportional to the product of the number of terms in the expressions, redundant terms can seriously degrade the processing time. This means that the algorithms described above must be followed by a simplification routine to remove redundant terms. It is also desirable that the simplifier should recognise simplifications such as:- $a \cdot \bar{b} + a \cdot b = a$. The simplification algorithm is in three parts:-

1. If all the active variables in one term are also active in the corresponding sense in a second term, then the second term is either the same or more specific than the first and so can be eliminated. For example:- $a \cdot \bar{b} + a \cdot \bar{b} \cdot c = a \cdot \bar{b}$ and $a \cdot c + a \cdot b \cdot c = a \cdot c$.

2. If the same variables are active in two terms and all but one of these variables is in the corresponding sense, then the pair of terms can be replaced by a single term with the 'mismatched' variable eliminated. For example:- $a \cdot b \cdot c + a \cdot \bar{b} \cdot c = a \cdot c$.

3. If the variables which are active in common between two terms are in corresponding senses, and if one term has a single additional variable active, then the second term can be made more specific by including the inverse of the additional variable in the first term. For example:- $a \cdot b \cdot c + a \cdot b \cdot d \cdot e = a \cdot b \cdot c + a \cdot b \cdot \bar{c} \cdot d \cdot e$. This helps eliminate terms which are included in the union of several other terms. For example:- $\bar{a} \cdot b + b \cdot c + a \cdot c = \bar{a} \cdot b + a \cdot b \cdot c + a \cdot c = \bar{a} \cdot b + a \cdot c$.

The advantage of this representation is that the boolean sets $A$ and $S$ for each term can be represented efficiently by packing 32 bits into each 32-bit machine word and then using word-wide AND and OR operations to evaluate the intersection operation. However, the simplification process described above requires the behaviour of individual bits of the sets $A$ and $S$ to be examined and manipulated, and this is not such an efficient process. As will be seen in section 8 the analyser built using this representation uses very little data space, but takes a considerable time to evaluate complex functions.

⁹ Note that the operator $\wedge$ is AND (or intersection) between boolean values (or sets of boolean values) and $\vee$ is OR (or union).


Although the above simplification algorithm will remove most redundant terms, it is not perfect and an expression such as:- $\bar{a} \cdot c + b \cdot \bar{c} + a \cdot \bar{b} + \bar{a} \cdot \bar{b} \cdot \bar{c} + a \cdot b \cdot c$ will be regarded as irreducible, even though it is identically true. This problem becomes more probable as the number of variables increases, and is of particular significance if the test that 'the union of all expressions which define a result should be true' is performed. This leads to the need for a further algorithm to prove that an expression such as the above is indeed true. This is done by constructing two expressions; one including all the terms from the original in which a selected variable is true or absent (that variable being eliminated from all the terms), and the other including those terms in which the selected variable is false or absent. These two expressions should then themselves be universally true, if the original was universally true. If the simplification algorithm already described cannot reduce these expressions to true, then they can themselves be split into two expressions by selecting a second variable. If this process is repeated for all variables, and there are still some expressions which are not true, then the original was not true. In the above example, if $a$ is selected as the first variable to be eliminated, then this leads to two expressions:-

$a$ true or absent $\Rightarrow b \cdot \bar{c} + \bar{b} + b \cdot c \Rightarrow 1$ and $a$ false or absent $\Rightarrow c + b \cdot \bar{c} + \bar{b} \cdot \bar{c} \Rightarrow 1$
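The following is an added example (not the NODEN analyser's own code) of the disjunctive normal form machinery of this section: terms packed as an Activity mask $A$ and a Sense mask $S$, union by concatenation, the pairwise intersection test, simplification rules 1 to 3, and the variable-splitting test for universal truth applied to the expression above. The variable order and names are constructed for the example.

```python
from itertools import combinations
VARS = "abcd"  # hypothetical fixed variable order: bit i of a mask is VARS[i]

def term(lits: str) -> tuple:
    """'a ~b c' -> (A, S): A marks the active variables, S their sense (~x = inverse)."""
    A = S = 0
    for lit in lits.split():
        bit = 1 << VARS.index(lit.lstrip("~"))
        A |= bit
        if not lit.startswith("~"):
            S |= bit
    return A, S

def show(expr: list) -> list:
    """Render each term as a string such as 'a ~b', for inspection."""
    return [" ".join(("" if S >> i & 1 else "~") + v for i, v in enumerate(VARS) if A >> i & 1)
            for A, S in expr]

def single_bit(m: int) -> bool:
    return m != 0 and m & (m - 1) == 0

def intersect_terms(t1: tuple, t2: tuple):
    """Two terms meet only if every common active variable has the same sense."""
    (A1, S1), (A2, S2) = t1, t2
    if A1 & A2 & (S1 ^ S2):  # A' ^ A'' ^ (S' != S'') is non-zero: opposite senses
        return None
    A = A1 | A2  # A''' = A' v A'',  S''' = A''' ^ (S' v S'')
    return A, A & (S1 | S2)

def union(e1: list, e2: list) -> list:
    return simplify(e1 + e2)  # union: concatenate the two term lists, then prune

def intersection(e1: list, e2: list) -> list:
    out = []  # every term of E' against every term of E'': up to t' x t'' candidates
    for t1 in e1:
        for t2 in e2:
            t = intersect_terms(t1, t2)
            if t is not None:
                out.append(t)
    return simplify(out)

def simplify(expr: list) -> list:
    """Rules 1-3 of section 7.1, applied until no pair of terms changes."""
    terms = list(dict.fromkeys(expr))  # drop exact duplicates, keep order
    changed = True
    while changed:
        changed = False
        for t1, t2 in combinations(terms, 2):
            (A1, S1), (A2, S2) = t1, t2
            mismatch = A1 & A2 & (S1 ^ S2)  # common variables in opposite senses
            if mismatch:
                if A1 == A2 and single_bit(mismatch):  # rule 2: a.b.c + a.~b.c = a.c
                    terms[terms.index(t1)] = (A1 & ~mismatch, S1 & ~mismatch)
                    terms.remove(t2)
                    changed = True
                    break
                continue
            if A1 & ~A2 == 0 or A2 & ~A1 == 0:  # rule 1: one term covers the other
                terms.remove(t2 if A1 & ~A2 == 0 else t1)
                changed = True
                break
            for extra, keep, (_, Sk) in ((A1 & ~A2, t2, t1), (A2 & ~A1, t1, t2)):
                if single_bit(extra):  # rule 3: the other term gains the inverse of it
                    terms[terms.index(keep)] = (keep[0] | extra, keep[1] | (extra & ~Sk))
                    changed = True
                    break
            if changed:
                break
        terms = list(dict.fromkeys(terms))
    return terms

def is_tautology(expr: list) -> bool:
    """Universal truth by eliminating one variable at a time, as described above."""
    expr = simplify(expr)
    if any(A == 0 for A, _ in expr):  # the empty term covers every input state
        return True
    for i in range(len(VARS)):
        bit = 1 << i
        if any(A & bit for A, _ in expr):
            true_or_absent = [(A & ~bit, S & ~bit) for A, S in expr if not A & bit or S & bit]
            false_or_absent = [(A & ~bit, S & ~bit) for A, S in expr if not A & bit or not S & bit]
            return is_tautology(true_or_absent) and is_tautology(false_or_absent)
    return False  # no terms remain: the expression is never true
```

With these definitions the five-term expression above survives simplify unchanged but is_tautology proves it universally true after splitting on $a$, while $a + \bar{b} \cdot c$ is correctly rejected.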

A second disadvantage is that all the variables described so far have been boolean, whereas NODEN needs to process multi-valued logic variables. In order to reason about such non-boolean values a mapping is needed between the actual variable and a set of booleans. For a variable with $m$ possible states, this can be mapped onto a set of $s$ booleans, where $s = \lceil \log_2 m \rceil$. These can be regarded as representing states 0 to $2^s - 1$. The first $m - 1$ states of the variable are mapped onto states 0 to $m - 1$ of the booleans, whilst the final state can be mapped onto states $m$ to $2^s - 1$. So for a variable of six states, this could be mapped onto a set of three booleans $(a, b, c)$. The first five states being represented as: $\bar{a} \cdot \bar{b} \cdot \bar{c}$, $\bar{a} \cdot \bar{b} \cdot c$, $\bar{a} \cdot b \cdot \bar{c}$, $\bar{a} \cdot b \cdot c$ and $a \cdot \bar{b} \cdot \bar{c}$; whilst the final state is $a \cdot b + a \cdot \bar{b} \cdot c$.

7.2 Shannon factorised form

Shannon factorised form [Bryant 86] regards the variables upon which an expression depends as having a fixed order. It then describes an expression of $n$ boolean variables as a pair of expressions (each of $n - 1$ variables) with the first variable factored out. That is, if expression $E$ depends upon $a$, $b$ and $c$ (in that order), then $E$ is expressed as $[E_a, E_{\bar{a}}]$.⁸ Where $E_a$ represents the expression $E$ with $a$ factored out, and $E_{\bar{a}}$ represents the expression $E$ with $\bar{a}$ factored out. $E_a$ and $E_{\bar{a}}$ are themselves represented as a pair of expressions with $b$ and $\bar{b}$ factored out, and the resulting four expressions (which depend solely on $c$) are also factored into pairs of expressions, which are either universally true (1) or false (0). It should be noted that for any expression there is only one possible Shannon factorised form representation, ie the representation is canonical.

For example, the expression that is represented in disjunctive normal form as $a + \bar{b} \cdot c$ is first factorised to remove $a$ and $\bar{a}$, $[1, \bar{b} \cdot c]$. These two expressions are then factorised to remove $b$ and $\bar{b}$, leading to the expression pairs $[1, 1]$ and $[0, c]$. These are further factorised to remove $c$ and $\bar{c}$ to give the Shannon factorised form:- $[[[1, 1], [1, 1]], [[0, 0], [1, 0]]]$. This might more easily be thought of as a tree as shown in Figure 1.

⁸ That is $E = a \cdot E_a + \bar{a} \cdot E_{\bar{a}}$

Figure 1: A Shannon factorised form 'tree'


This representation has a number of desirable properties. If $E'$ and $E''$ are two expressions in Shannon factorised form, with values $[E'_a, E'_{\bar{a}}]$ and $[E''_a, E''_{\bar{a}}]$ respectively, then it is quite simple to show that $E' \cap E'' = [E'_a \cap E''_a, E'_{\bar{a}} \cap E''_{\bar{a}}]$. Similarly $E' \cup E'' = [E'_a \cup E''_a, E'_{\bar{a}} \cup E''_{\bar{a}}]$. The operators $\cap$ and $\cup$ applied to the 'leaf' values 0 and 1 have the expected results. This means that the union or intersection of two Shannon form expressions of $n$ variables is always found by $2^{n+1} - 1$ simple operations, and that the result is always in a canonical form. Hence, unlike the disjunctive normal form representation, no simplification stage is required and the universal truth of an expression is easily determined. Therefore this representation can potentially be processed very quickly.¹⁰

There are however a number of disadvantages with this representation. Firstly, as with disjunctive normal form, there is no direct representation of multi-valued logic, although a mapping similar to that discussed previously can be implemented. The second and more serious problem is that each expression is formed of a fixed number of nodes ($2^n - 1$), each pointing to two further nodes. For efficient processing, these need to be implemented as some form of pointer, so it is likely that each expression will require $2 \times (2^n - 1)$ words of memory. This is not a problem if $n$ is small, but if $n$ is large the representation may become very inefficient in its use of memory, particularly if not all variables are significant in a particular expression. In one of the blocks described in section 8, a set of expressions were evaluated where each could depend on up to 239 variables, although in fact no single expression actually depended upon more than 20. What has therefore been developed is a more memory efficient version of the Shannon factorised form, that maintains the desirable properties of being a canonical form and having fast union and intersection evaluation times, but which often uses far less memory.


7.3 Modified Shannon form

The modified Shannon form representation depends upon the observation that if $a$ is potentially the first variable in an expression whose Shannon factorised form is $[E_a, E_{\bar{a}}]$, then if the expression is actually independent of $a$, $E_a = E_{\bar{a}}$. A modified Shannon form expression can therefore be constructed from an indication of the first significant variable in the expression, and the two factored expressions with that variable removed (as in the Shannon factorised form). That is, if $b$ is the first significant variable in expression $E$, then $E = [b, E_b, E_{\bar{b}}]$.¹¹ These sub-expressions are also in modified Shannon form, or are the 'leaf' values 1 and 0.

¹⁰ This representation also has the property (not used by NODEN) that the inverse of $E$:-

That is the inverse can be evaluated by inverting all the 'leaf' expressions.

For example, the expression represented in disjunctive normal form as $a + \bar{b} \cdot c$ can be represented in modified Shannon form as:- $[a, 1, [b, 0, [c, 1, 0]]]$ or graphically as:-

If any expression $[i, E_i, E_{\bar{i}}]$ in which $E_i = E_{\bar{i}}$ is replaced by $E_i$, it can be shown that this representation is canonical.

Given the expected definitions of union and intersection between 'leaf' expressions and other expressions (ie $0 \cup E \Rightarrow E$, $1 \cup E \Rightarrow 1$, $0 \cap E \Rightarrow 0$ and $1 \cap E \Rightarrow E$), then if $E'$ and $E''$ are in modified Shannon form, with values $[i', E'_{i'}, E'_{\bar{i}'}]$ and $[i'', E''_{i''}, E''_{\bar{i}''}]$ respectively, then the union and intersection operations are defined as follows. If $op$ is either $\cup$ or $\cap$, then $E'\ op\ E''$ is:-

if $i' = i''$ $\Rightarrow$ $[i', E'_{i}\ op\ E''_{i}, E'_{\bar{i}}\ op\ E''_{\bar{i}}]$
or $i' < i''$ $\Rightarrow$ $[i', E'_{i}\ op\ E'', E'_{\bar{i}}\ op\ E'']$
or $i' > i''$ $\Rightarrow$ $[i'', E'\ op\ E''_{i}, E'\ op\ E''_{\bar{i}}]$

It should be remembered that the variables are assumed to be ordered; so $i' = i''$ means $i'$ is the same as $i''$, $i' < i''$ means $i'$ occurs earlier in the order of variables than $i''$, and $i' > i''$ means $i'$ occurs later in the order than $i''$. Essentially if $i' = i''$, the evaluation of union and intersection is identical to Shannon factorised form, but if one variable precedes the other, the fact that in Shannon factorised form both sub-expressions of the 'missing' variable would be the same is used.

Each node in a modified Shannon form expression occupies three words of memory. So for a pathological case, such as a parity generator, the modified Shannon form expression will contain as many nodes as the Shannon factorised form, and so will occupy 50% more memory. However in the vast majority of practical examples, this representation is more memory efficient than the factorised form. The functions needed to evaluate union and intersection are slightly more complex, but as the number of nodes in an expression is probably reduced, the execution time may actually be shorter.

¹¹ where $E = b \cdot E_b + \bar{b} \cdot E_{\bar{b}}$
One further advantage is that the above representation can easily be adapted to directly represent multi-valued variables. If $E$ is an expression whose first significant variable $a$ is a tristate signal (with states high, low and z), then $E$ can be represented by the modified Shannon form expression:- $[a, E_{a=high}, E_{a=low}, E_{a=z}]$. If in general $E^*$ has the first significant variable $v^*$, which has $n^*$ possible states, then the modified Shannon form expression consists of $v^*$ and $n^*$ expressions $E^*_i$ ($i = 1$ to $n^*$). The definitions of the union and intersection operators given above can be extended so that for $E'$ and $E''$, $E'\ op\ E''$:-

if $v' = v''$ $\Rightarrow$ $[v'$ and $n'$ expressions $E'_i\ op\ E''_i$, $i = 1$ to $n']$
or $v' < v''$ $\Rightarrow$ $[v'$ and $n'$ expressions $E'_i\ op\ E''$, $i = 1$ to $n']$
or $v' > v''$ $\Rightarrow$ $[v''$ and $n''$ expressions $E'\ op\ E''_i$, $i = 1$ to $n'']$

In all cases, if all the sub-expressions are identical, then the modified Shannon form expression can be replaced by one of the sub-expressions (eg $[v, E, E, E] = E$).
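As an added example (not the NODEN analyser's own code), here is the modified Shannon form with the union and intersection cases of section 7.3, written directly for the multi-valued variables just described so that the boolean form is the two-state instance; it also checks the canonical collapse of a node whose sub-expressions are all equal. The variable order, domain sizes and the tristate signal s are constructed for the example.

```python
# Constructed, hypothetical variable order and domain sizes: booleans have two
# states (index 0 = true, index 1 = false); s is a tristate signal with the states
# high, low and z at indices 0, 1 and 2.
ORDER = {"a": 0, "b": 1, "c": 2, "s": 3}
DOMAIN = {"a": 2, "b": 2, "c": 2, "s": 3}
LEAVES = (0, 1)

def node(var: str, children):
    """[var, E_1 .. E_n]; when all sub-expressions are equal the node is replaced
    by that sub-expression, which is what keeps the form canonical."""
    children = tuple(children)
    assert len(children) == DOMAIN[var]
    return children[0] if all(c == children[0] for c in children) else (var, children)

def var_is(var: str, state: int):
    """The expression 'var is in the given state'; var_is('b', 1) is b-bar."""
    return node(var, [1 if k == state else 0 for k in range(DOMAIN[var])])

def leaf_op(op: str, leaf: int, e):
    """0 u E = E, 1 u E = 1, 0 n E = 0, 1 n E = E."""
    if op == "union":
        return 1 if leaf == 1 else e
    return e if leaf == 1 else 0

def combine(op: str, e1, e2):
    """E' op E'' by the three cases on the first significant variables v' and v''."""
    if e1 in LEAVES:
        return leaf_op(op, e1, e2)
    if e2 in LEAVES:
        return leaf_op(op, e2, e1)
    (v1, c1), (v2, c2) = e1, e2
    if v1 == v2:  # same variable: combine the sub-expressions state by state
        return node(v1, [combine(op, x, y) for x, y in zip(c1, c2)])
    if ORDER[v1] < ORDER[v2]:  # v' earlier: E'' would be the same in every state of v'
        return node(v1, [combine(op, x, e2) for x in c1])
    return node(v2, [combine(op, e1, y) for y in c2])  # v'' earlier

def union(e1, e2):
    return combine("union", e1, e2)

def intersection(e1, e2):
    return combine("intersection", e1, e2)

def evaluate(e, assignment: dict) -> int:
    """Truth of e under an assignment var -> state index, for cross-checking."""
    while e not in LEAVES:
        var, children = e
        e = children[assignment[var]]
    return e

def count_nodes(e) -> int:
    """Number of nodes, each holding the variable plus one pointer per state."""
    return 0 if e in LEAVES else 1 + sum(count_nodes(c) for c in e[1])

# The paper's example a + b-bar.c: expected [a, 1, [b, 0, [c, 1, 0]]].
A_OR_NOTB_C = union(var_is("a", 0), intersection(var_is("b", 1), var_is("c", 0)))
# A tristate signal is in exactly one of its states, so the three cases cover everything.
S_ANY_STATE = union(union(var_is("s", 0), var_is("s", 1)), var_is("s", 2))
```

Because the result is canonical, building the same expression with its operands in a different order gives an identical structure, which is the property the disjunctive normal form lacks.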

8 Practical application of the NODEN analyser

As was said earlier, the usefulness of NODEN depends upon the size of circuit it can analyse and how long it takes to do so. In order to investigate the properties of the representations discussed in the previous section, three analysis and comparison programs have been written and applied to the blocks of the VIPER microprocessor. These results are shown in Table 1.

The first program suite, 'Disjunctive #1', is based on the disjunctive normal form representation described in section 7.1. It would be expected that this would produce compact representations, but that the complex simplification algorithm would mean that it would be slow for large expressions. The second program suite, 'Disjunctive #2', uses the same representation but a less complex simplifier. The simplification step described in section 7.1.3 is omitted. This greatly speeds the simplification algorithm (as most of the bits of the representation can be processed in word-wide units and not individually), but at the same time the representations will contain more redundant terms and are therefore going to occupy more space. It would therefore be expected that this representation should run faster than the first, but occupy more memory. However this will not be universally true, as it is possible the extra redundant terms in the representation may increase the processing load to the point at which this representation is actually slower than the original.

The final suite of programs is based on the modified Shannon representation (section 7.3). It would be expected that this would be very much faster than the disjunctive normal form programs, but occupy far more memory. Table 1 shows the three program suites applied to blocks from VIPER (described below). For each block, the specification and implementation were analysed and the results compared. The storage requirement is the maximum amount of memory used by one of these three processes, whilst the time taken is the sum of the three processing times (CPU time on a DEC VAX 6220).
[Table 1 body: columns Size, Gates, then Store and Time for each of Disjunctive #1, Disjunctive #2 and Shannon; one row per VIPER block (MINOR first) and a TOTAL row whose three values read 2481.0, 1357.4 and 436.5, one per suite; the remaining cell values are not recoverable.]

Size = Inputs : delays : outputs (all boolean equivalents)
All storage in Kwords, all times in seconds

Table 1: NODEN applied to the VIPER microprocessor

The VIPER microprocessor is broken down into a number of blocks [Pygott 86], the majority of which are shown in Table 1. MINOR and TIMEOUT are essentially three and six bit counters respectively. MAJOR is a sixteen state finite state machine. TIMING is a piece of combinatorial logic from nine inputs to four outputs. BANDSTOP calculates the next state of the B and STOP flags from various information from the ALU. '4 BIT ALU' is a four bit slice of the ALU, with 13 arithmetic and logical functions. REGSEL is a 4-way, 32-bit wide multiplexer. DECODER is the micro-instruction decoder, and finally DATAREG is a register file with 4 32-bit and 2 20-bit registers.

As can be seen from Table 1, the overall behaviour of the three program suites is as predicted. The second disjunctive form programs are faster than the first, except for TIMING and DECODER, where the increased expression size slows the processing down more than the reduction in the simplifier algorithm gains. The modified Shannon form suite is faster than either of the disjunctive normal form suites, with the notable exception of the MAJOR block. This is anomalous because the MAJOR block is defined in terms of a CASE statement applied to the current state of the MAJOR finite state machine. However, the way the specification is written causes this controlling variable to appear as the last input defined. As can be seen from the definition of the Shannon representation, it is very sensitive to the order of inputs, and in this case this leads to rather inefficient processing.


9 Conclusions

The NODEN hardware analysis suite represents a practical tool to perform hardware verification on moderately complex blocks of logic. As has been demonstrated on the VIPER blocks, the component parts of a complex design can be verified in a matter of CPU minutes. This means that the more labour intensive algebraic theorem provers or checkers need only be used to show the correct behaviour of the assembled blocks.